The European Commission has published an evaluation report on the GDPR. It states that the GDPR has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.
According to the report, the GDPR proved to be flexible to support digital solutions in unforeseen circumstances such as the Covid-19 pandemic. The report also concludes that harmonisation across member states is increasing, although there is a certain level of fragmentation that must be continually monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage. The report sets out a list of actions to facilitate further the application of the GDPR for all stakeholders, especially for SMEs, to promote and develop a European data protection culture and robust enforcement.
Key findings of the GDPR review
Citizens are more empowered and aware of their rights: The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. According to a survey, 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority. However, more can be done to help citizens exercise their rights, notably the right to data portability.
Data protection rules are fit for the digital age: The GDPR has empowered individuals to play a more active role in relation to what is happening with their personal information. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.
Data protection authorities are making use of their stronger corrective powers: From warnings and reprimands to administrative fines, the GDPR provides national data protection authorities with the right tools to enforce the rules. However, they need to be adequately supported with the necessary human, technical and financial resources. Many member states are doing this, with notable increases in budgetary and staff allocations. However, there are still stark differences between member states.
Data protection authorities are working together in the context of the European Data Protection Board (EDPB), but there is room for improvement: the GDPR established a governance system which is designed to ensure a consistent and effective application of the GDPR through the so called ‘one stop shop’, which provides that a company processing data cross-border has only one data protection authority as interlocutor, that is the authority of the member state where its main establishment is located. However, more can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate.
Advice and guidelines by data protection authorities: the EDPB is issuing guidelines covering key aspects of the GDPR and emerging topics. Several data protection authorities have created new tools, including helplines for individuals and businesses, and toolkits for small and micro-enterprises. It is essential to ensure that guidance provided at national level is fully consistent with guidelines adopted by the EDPB.
Harnessing the full potential of international data transfers: Over the past two years, the Commission’s has worked with international partners. The Commission will continue its work on adequacy, with its partners around the world. In addition and in cooperation with the EDPB, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool. The EDPB is working on specific guidance on the use of certification and codes of conduct for transferring data outside the EU, which need to be finalised as soon as possible taking into account the Schrems II decision due on 16 July.
Promoting international cooperation: Over the last two years, the Commission has stepped up bilateral, regional and multilateral dialogue, fostering a global culture of respect for privacy and convergence between different privacy systems to the benefit of citizens and businesses alike. The Commission will seek authorisation from the Council to open negotiations for the conclusion of mutual assistance and enforcement cooperation agreements with relevant third countries.
Alignment with Data Protection Law Enforcement Directive
In addition, the European Commission has also published a Communication that identifies ten legal acts regulating processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences which should be aligned with the Data Protection Law Enforcement Directive. The alignment aims to bring legal certainty and to clarify issues such as the purposes of the personal data processing by the competent authorities and what types of data may be subject to such processing.