European Commission publishes review of General Data Protection Regulation (2016/679/EU)

The Commission says that the report shows that the GDPR has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.

The report finds that the GDPR has proved to be flexible enough to support digital solutions in unforeseen circumstances, such as the Covid-19 crisis. The report also concludes that harmonisation across the Member States is increasing, although there is a certain level of fragmentation that must be continually monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage.

The report also sets out a list of recommendations to facilitate further the application of the GDPR, in particular in relation to small and medium-sized companies.

Key findings of the GDPR review:

  • citizens are more empowered and aware of their rights: 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority. However, more needs to be done to help citizens exercise their rights, notably the right to data portability;
  • data protection rules are fit for the digital age: the GDPR has empowered individuals to play a more active role in respect of their data in the digital transition. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default;
  • data protection authorities are making use of their stronger enforcement powers: from warnings and reprimands to administrative fines, the GDPR provides national data protection authorities with the right tools to enforce the rules. However, they need to be adequately supported with the necessary human, technical and financial resources. Many Member States are doing this, with notable increases in budgetary and staff allocations. However, there are still stark differences between Member States;
  • data protection authorities are working together in the European Data Protection Board (EDPB), but there is room for improvement: the GDPR established an innovative governance system that is designed to ensure a consistent and effective application of the GDPR through the so called “one stop shop”. Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the “one-stop-shop”, 79 of which resulted in final decisions. However, more needs to done to develop a truly common data protection culture.
  • advice and guidelines by data protection authorities: the EDPB is issuing guidelines covering key aspects of the GDPR and emerging topics. Several data protection authorities have created new tools, including helplines for individuals and businesses, and toolkits for small and micro-enterprises. It is essential to ensure that guidance provided at national level is fully consistent with guidelines adopted by the EDPB;
  • harnessing the full potential of international data transfers: over the past two years, the Commission’s international engagement on free and safe data transfers has yielded important results. This includes Japan, with which the EU now shares the world’s largest area of free and safe data flows. The Commission will continue its work on adequacy, with its partners around the world; and
  • promoting international cooperation: over the last two years, the Commission has stepped up bilateral, regional and multilateral dialogue, fostering a global culture of respect for privacy and convergence between different privacy systems. The Commission says it is committed to continuing this work as part of its broader external action.

To read the Commission’s news release in full and for a link to the review, click here.