On June 24, 2020, the European Commission (“Commission”) published its much-anticipated assessment of the EU’s General Data Protection Regulation (“GDPR”) two years after it went into effect. The assessment takes into account contributions from the European Council, the European Parliament, the European Data Protection Board (“EDPB”), individual supervisory authorities, the Multi-Stakeholder Expert Group and other stakeholders. The assessment considers a wider scope of issues surrounding GDPR implementation beyond international transfers and the cooperation and consistency mechanisms, the two topics the Commission is specifically tasked to consider under Article 97 of the GDPR.
The Commission’s overall conclusion is that the GDPR has successfully achieved its objectives of enhancing the protection of personal data and improving the free flow of personal data within the EU. The Commission specifically highlights the key role that the GDPR plays in the EU’s “human-centric approach to technology,” and notes that it will serve as a guiding legal framework for the EU as it rolls out its broader Data Strategy. The Commission also notes the impact that the GDPR has had worldwide, inspiring new or elevated standards for data protection in many countries, and serving as a “global standard-setter” for regulating the digital economy.
Notwithstanding these achievements, the Commission also makes clear that there are a number of areas for improvement.