On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect.  The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other stakeholders.  The assessment considers a wider scope of issues surrounding GDPR implementation beyond international transfers and the cooperation and consistency mechanisms, the two topics the Commission is specifically tasked to consider under Article 97 of the GDPR.

The Commission’s overall conclusion is that the GDPR has successfully achieved its objectives of enhancing the protection of personal data and improving the free flow of personal data within the EU.  The Commission specifically highlights the key role that the GDPR plays in the EU’s “human-centric approach to technology,” and notes that it will serve as a guiding legal framework for the EU as it rolls out its broader Data Strategy.  The Commission also notes the impact that the GDPR has had worldwide, inspiring new or elevated standards for data protection in many countries, and serving as a “global standard-setter” for regulating the digital economy.

Notwithstanding these achievements, the Commission also makes clear that there are a number of areas for improvement.

  • Enforcement. The Commission states that although the supervisory authorities have struck a good balance in their chosen methods of enforcing the GDPR, they have not yet made full use of the powers available to them.  Areas where the Commission would like to see improvement include initiating joint investigations and providing more practical and concrete advice that is consistent at both the national and EDPB level.  The Commission also calls on the supervisory authorities to improve the handling of cross-border cases by updating complaint handling procedures, streamlining administrative timelines, and ensuring individuals are given due process.  The Commission highlights the fact that Member States must provide the supervisory authorities with sufficient human, technical and financial resources to enable them to carry out these important tasks.
  • Harmonization. The Commission states that EU Member States have extensively used the provisions in the GDPR which require or allow Member States to legislate or derogate from the GDPR in some areas.  According to the Commission, this has resulted in a degree of fragmentation which creates challenges to conducting cross-border business. Here, the Commission especially calls out national variations on the age of consent for minors, legislation related to freedom of expression/information, and derogations to the rules for processing special categories of personal information (especially health data).  The Commission states that it is currently mapping out the different approaches taken with respect to derogating  from the general prohibition for processing special categories of personal data.  The Commission aspires to create a more harmonized approach in the EU, such as through the creation of codes of conduct.  The Commission also states its concern that EU Member States have introduced legislation in some areas that “goes beyond the margins” established in the GDPR, thereby undermining the harmonization effect of the Regulation.
  • Data Subjects Rights. While the Commission is encouraged about the increased awareness and exercise of privacy rights under the GDPR, it highlights that there is a need to further facilitate the exercise of these rights.  In this respect, the Commission welcomes the proposed EU Directive on Representative Actions, which received political agreement from the Council and European Parliament on June 22, 2020.  This Directive sets out a harmonized framework for collective actions brought by consumers in areas such as data protection.  The Commission would also like to see progress made around the right of data portability, to both enhance user choice and stimulate competition on the market.
  • Small and Medium-Sized Enterprises (“SMEs)”. The Commission acknowledges that some SMEs may face challenges in complying with the GDPR, but points to the practical tools and resources that several supervisory authorities have made available, and encourages further progress in this area.
  • New Technologies. The Commissions notes that challenges lie ahead in applying the principles of the GDPR to evolving technologies such as artificial intelligence, blockchain, the Internet of Things, and facial recognition.  The Commission asks the supervisory authorities to follow technological developments early on and ensure strong and effective enforcement against large digital platforms and other integrated companies, particularly those involved in online advertising and targeting.
  • International Transfers.  In addition to highlighting the mutual adequacy decision the EU reached with Japan in 2019, as well as the advanced status of its adequacy negotiations with South Korea, the Commission indicates that it is engaging other countries in adequacy discussions and completing its mandatory review of existing adequacy decisions.  Moreover, the Commission mentions its ongoing adequacy assessment of the United Kingdom, both for purposes of the GDPR and Law Enforcement Directive, to determine the path forward for EU/UK data flows in a post-Brexit world.  The Commission notes that it is currently modernizing its standard contractual clauses for controllers and processors in order “to better reflect the realities of processing operations in the modern digital economy.”  Notably, the Commission alludes here to the upcoming decision of the Court of Justice of the European Union (“CJEU”) in the Schrems II case (due on July 16, 2020), noting that it may “provide clarifications that could be relevant for certain elements of the adequacy standard,” and impact the Commission’s assessment of safeguards for international transfers.  The Commission also asks the EDPB to streamline the approval process for Binding Corporate Rules (“BCRs”) and pick up the pace on its work related to codes of conduct and certifications, as well as clarifying how the transfer rules should be understood in light of the GDPR’s extraterritorial scope provisions.
  • International Cooperation. The Commission highlights its ongoing efforts in promoting international dialogue and cooperation in the area of data protection, such as through the newly formed EU-Africa Partnership.  The Commission has also been developing specific provisions on data flows in bilateral and multilateral trade agreements, and working with other governments to help avoid conflict of law issues becoming a barrier for companies operating in the European market. The Commission also highlights the importance of ensuring that when companies are asked to respond to legitimate data access requests from law enforcement, they can do so without facing a conflict of law and in full respect of EU fundamental rights.  The Commissions continues to discuss with other governments to enhance cooperation and mutual assistance mechanisms, and plans to set up a “Data Protection Academy” as a platform for sharing knowledge and best practices, as well as supporting international cooperation, in the area of data protection.

In concluding its 2-year assessment of the GDPR, the Commission sets out a “to-do” list of action items for itself, EU Member States, the EDPB, and the supervisory authorities, calling on all these stakeholders to take up certain key actions as a matter of priority.  The following action items are noteworthy:

  • the Commission calls upon the EDPB to ensure the effective enforcement of the GDPR against operators established in third countries falling under the GDPR’s extraterritorial scope;
  • the Commission reiterates its call for EU Member States to provide sufficient resources to their supervisory authorities and limit the introduction of national laws that would result in a fragmentation of the GDPR, hinting that it may pursue infringement procedures against Member States in appropriate cases;
  • the Commission indicates that it may propose certain amendments to the GDPR, to simplify obligations for SMEs and harmonize areas such as the age of consent for minors;
  • the Commission proposes to encourage, including through financial support, the drafting of EU codes of conduct in the areas of health and research;
  • the Commission encourages supervisory authorities to limit the use of provisions that deviate from the GDPR and that may engender fragmentation; and
  • the Commission also calls upon supervisory authorities and the EDPB to give clear and actionable guidance on a variety of topics, step up their cooperation, develop practical tools, streamline approval procedures, and support the development of codes of conduct.

With the 2-year review now published, the Commission notes that it will monitor the completion of these action items in its next GDPR evaluation report, due in 2024.