On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework.  In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes several ongoing and planned initiatives.  The report is a follow-up to a prior report issued in January 2018, and was informed to a great extent by the ongoing work of the Multi-stakeholder Group, which is comprised of civil society and business representatives, academics and practitioners, to support the application of the GDPR.  The report will contribute to the Commission’s formal 2-year review of the GDPR to take place in May 2020.

Member States

The Commission emphasizes the success of the GDPR in harmonizing data protection rules across Europe to provide greater legal certainty for individuals and businesses.  This has required the active participation of EU Member States to enact national data protection laws that allocate the necessary powers and resources to their supervisory authorities, specify rules in certain areas, and amend or repeal other national legislation impacted by the GDPR.  While the Commission generally praises the work of the Member States in this regard, it notes that three countries (Greece, Portugal and Slovenia) have yet to pass a post-GDPR national data protection law, and the harmonization of national legislation remains a work in progress across most Member States.  The Commission also acknowledges some developments detrimental to achieving a uniform approach across the EU (e.g., Germany’s stricter requirements for data protection officers) and encourages Member States to take steps to ensure greater harmonization.  Although the GDPR has led to a more consistent set of EU data protection rules, frustratingly for industry, some significant Member State divergences over the interpretation and application of these rules persists.

Supervisory Authorities

In a similar vein, the Commission praises the work of the Member State supervisory authorities, who in its view have exercised their new enforcement powers in a balanced manner that values dialogue over sanctions.  However, the Commission would like to see further cooperation among the supervisory authorities, including alignment with the work of the European Data Protection Board (“EDPB”), enhancing the means for stakeholders to inform the work of the EDPB, and greater efforts to support parties who may lack data protection knowledge or resources (e.g., small and medium-sized businesses).  In this vein, it has been reported that certain Member State supervisory authorities have been critical of the UK Information Commissioner’s failure to consult prior to announcing its statement of intent to impose significant fines upon British Airways and Marriott International, Inc.

Individual rights and businesses’ compliance efforts

The Commission further notes that individuals are showing a greater awareness of their privacy rights under the GDPR and a willingness to exercise those rights.  Nevertheless, efforts in this area should continue to enhance individual participation and prevent any misunderstandings or misinformation about privacy rights.

The Commission also applauds the efforts of businesses to comply with the GDPR, which has undeniably resulted in challenges for some, but has also created a timely opportunity for organizations to enhance internal privacy and data security practices, as well as develop privacy-friendly services.  The Commission also mentions the various tools in the GDPR enabling businesses to demonstrate compliance, including standard contractual clauses, codes of conduct, and GDPR certification.  The Commission indicates it will work with stakeholders to maximize the value of these tools by updating the existing clauses and supporting certification schemes in line with the recently adopted EDPB guidelines.  The Commission also voices its support for related tools available under the GDPR (e.g., other types of standard clauses, such as those recently submitted by the Danish supervisory authority and reviewed by the EDPB).

International cooperation

The Commission highlights what it refers to as the “upward convergence” of the GDPR at the international level, as many countries are now adopting or drafting privacy laws that echo the substance and principles of the GDPR, such as in Brazil and India, resulting in a global shift in the area of data privacy.  The Commission also notes the recent EU-Japan mutual adequacy arrangement (creating “the world’s largest area of free and safe data flows”), alludes to other forthcoming adequacy findings, indicates its desire to engage new countries and regions in adequacy discussions, and underscores its current work to update existing adequacy findings for various countries.

The Commission also states its aim to “harness the full potential” of the GDPR to enable international transfers of personal data, reiterating its intention to take action on standard contractual clauses and support the development of other transfer mechanisms.  This initiative will be important, given pending challenges before the EU courts with respect to two key transfer mechanisms, standard contractual clauses and the U.S.-EU Privacy Shield, reported here.  The Commission also mentions ongoing efforts for international cooperation to combat crime and terrorism, as well as coordination with data protection enforcement powers in other countries to facilitate cooperation and mutual assistance.

Data protection legislation across EU legal policy

Finally, the Commission notes other areas of EU policy wherein data protection rules form an integral component of the legal framework, particularly:

  • telecommunications and electronic communication services;
  • health and research;
  • artificial intelligence;
  • transport;
  • energy;
  • competition;
  • elections; and
  • law enforcement.

The Commissions concludes its report by stating that the first year of the application of the GDPR has been overall positive, but there is still work to be done in a number of areas.  This is an understatement.