HomeInsightsEuropean Commission publishes Communication on “Data protection rules as a trust-enabler in the EU and beyond – taking stock”

Article by

Just over one year after the entry into application of the General Data Protection Regulation, the European Commission has published a Communication to the European Parliament Council on the impact of the EU data protection rules, and how implementation can be improved further.

The Commission says that the report concludes that most Member States have set up the necessary legal framework, and that the new system strengthening the enforcement of the data protection rules is falling into place. Businesses are developing a compliance culture, while citizens are becoming more aware of their rights. At the same time, convergence towards high data protection standards is progressing at international level.

The Commission also says that although the GDPR has made EU citizens more aware of data protection rules and of their rights, only 20% know which public authority is responsible for protecting their data. The Commission has therefore launched a new campaign to encourage Europeans to read privacy statements and to optimise their privacy settings.

While the new data protection rules have achieved many of their objectives, the Communication also sets out concrete steps to further strengthen these rules and their application:

  • one continent, one law: all but three Member States (Greece, Portugal and Slovenia) have updated their national data protection laws in line with the GDPR. The Commission will continue to monitor Member State laws to ensure that when they specify the GDPR in national laws, it remains in line with the Regulation and that their national laws are not a “gold-plating exercise”. If needed, the Commission says it will not hesitate to use the tools at its disposal, including infringements, to make sure Member States correctly transpose and apply the rules;
  • businesses are adapting their practices: the Commission says that compliance with the GDPR has helped companies increase the security of their data and develop privacy as a competitive advantage. The Commission says it will support the GDPR toolbox for businesses to facilitate compliance, such as standard contractual clauses, codes of conduct and new certification mechanism. In addition, the Commission will continue supporting SMEs in applying the rules;
  • stronger role of data protection authorities: the GDPR has given national data protection authorities more powers to enforce the rules. During the first year, national data protection authorities have made use of these new powers effectively when necessary. Data protection authorities are also cooperating more closely within the European Data Protection Board. By the end of June 2019, the cooperation mechanism had managed 516 cross-border cases. The Commission wants the EDPB to step up its leadership and continue building a EU-wide data protection culture. It also encourages national data protection authorities to pool their efforts for instance by conducting joint investigations. The Commission says it will continue to fund national data protection authorities in their efforts to reach out to stakeholders; and
  • EU rules as reference for stronger data protection standards across the globe: the Commission says that as more and more countries across the world equip themselves with modern data protection rules, they are using the EU data protection standard as a reference point. This upwards convergence is opening up new opportunities for safe data flows between the EU and third countries. The Commission says it will further intensify its dialogues on adequacy, including in the area of law enforcement. In particular, it aims at concluding the ongoing negotiations with the Republic of Korea in the coming months. Beyond adequacy, the Commission aims to explore the possibility to build multilateral frameworks to exchange data with trust.

In line with the GDPR, the Commission will report on its implementation in 2020 to assess the progress made after two years of application including on the review of the 11 adequacy decisions adopted under the 1995 Directive. To read the Commission’s press release in full and for a link to the Communication, click here.