The European Commission has published its evaluation report of the application of the General Data Protection Regulation, with a particular focus on encouraging more efficient and co-ordinated management of cross-border cases across the EU. The report also considers a number of issues relating to the transfer of personal data to third countries, and the implications for adequacy decisions including for the UK post-Brexit.
The Commission's over-arching theme is that GDPR has successfully met its objectives of strengthening individuals' data rights whilst also guaranteeing the free flow of personal data. The report does, however, identify a number of areas for improvement, and concludes that it is therefore too soon to reach a view on GDPR's overall scorecard. Nonetheless, with the COVID-19 crisis demonstrating the "globalisation of the privacy debate", the Commission claims that GDPR has positioned the EU as a "global standard-setter for the regulation of the digital economy".
Challenges of GDPR and areas for action
Areas for focus identified in the report include the following:
- Enforcement and co-operation in cross-border cases
National data protection authorities (DPAs) have made 'balanced use' of their enhanced corrective powers, and developed collaborative approaches through the one-stop-shop mechanism (141 draft decisions were submitted through the procedure between 25 May 2018 and 31 December 2019, with 79 resulting in a final decision). However, DPAs have not so far made full use of GDPR's tools, such as those relating to joint operations and investigations. Indeed, the Commission suggests opportunities have been missed by 'moving to the lowest common denominator'.
DPA resources are highlighted as a particular concern. Whilst many DPAs have seen increases in their budget and staff numbers (the report highlights the Ireland and Luxembourg DPAs, who are acting as lead authority in many significant cross-border cases), this has not been the case across the board. In this regard, it is notable that the UK's Information Commissioner appears not to consider itself poorly resourced. It recently told us, in response to questions as to whether it felt it needed a larger budget: “We continually invest in strengthening the ICO in both number and expertise and presently employ nearly 800 staff. We have over 200 case officers working on issues raised by the public and over 100 staff in our enforcement department taking forward our investigations. We also have well resourced departments developing our information rights policies and guidance.”
- Fragmentation and divergence
Whilst GDPR brought harmonisation, there are certain areas where Member States were required to implement specific legislation. As might have been anticipated, this has led to inconsistencies and therefore to ambiguities. Examples include the age at which children can consent to information society services, national derogations from the general prohibition for processing special categories of personal data, and the approach to the balance between data protection and freedom of expression and information. The Commission will review national legislation and suggests establishing codes of conduct may lead to a more consistent approach.
- Individuals' control over their data
GDPR has clearly enhanced individuals' awareness of their data protection rights: the EU Fundamental Rights Survey 2019 revealed that 69% of the EU population (aged 16+) had heard of GDPR, and (somewhat surprisingly) 71% knew of their national DPA. Interestingly, in the UK, awareness of GDPR was at a similar level to the EU average, but, notably, only 35% had heard of the ICO.
The report trails the proposed Directive on representative actions, which will introduce the prospect of collective actions, including for data protection cases, in Member States. It also identifies as a priority unlocking the potential of the right to data portability.
The report recognises that SMEs have found GDPR especially challenging. However, it rejects any deviation from GDPR for such companies, instead calling for greater use of the GDPR toolbox for their benefit. Again, codes of conduct are suggested as a key step.
- Applying GDPR to new technologies
Whilst GDPR was drafted to be technology neutral, debates are already ongoing as to how its principles apply in the context of technologies such as AI, blockchain, IoT and facial recognition, and also in relation to online advertising and micro-targeting. No specific proposals are made in the report, but the issue needs to be seen in the wider context of the EU's Digital Strategy, as well as initiatives and investigations in individual Member States.
- A 'modern international data transfer toolbox'
International data transfers form a significant part of the Commission's evaluation of GDPR, and also of its current work programme. The adequacy decision for the Republic of Korea is at an advanced stage, with exploratory talks beginning with other Asian and Latin American countries. However, all eyes, of course, are on whether the UK will be given an adequacy decision (or something equivalent) before the end of the Brexit transition period. Whilst the report stresses the need for a high degree of convergence between the UK and the EU on data protection, statements from Commission officials when launching the report also drew attention to serious concerns within the EU that the UK may seek to deviate from GDPR.
Separately, the Commission notes the forthcoming CJEU decision in Schrems, which may have implications for adequacy assessments, as well as the Commission's own modernisation programme for standard contractual clauses. We will be recording a rapid response podcast on the CJEU's Schrems decision, which is due out on 16 July, given its potential implications for international data flows and a UK adequacy decision.
- International convergence and co-operation
With many legislators identifying GDPR as a key reference point for their own data protection schemes (for instance, the DIFC's new data protection laws are closely aligned with GDPR), the Commission wishes to promote convergence of standards, whilst also tackling digital protectionism. That said, it also emphasises the extra-territorial dimension of GDPR and calls upon DPAs to pursue actions against non-EU data controllers/processors more vigorously, including by involving their EU representative.