On June 24, 2020, the European Commission (“the Commission”) submitted its first report on the evaluation and review of the EU General Data Protection Regulation (“GDPR”) to the European Parliament and Council. The report is required under Article 97 of the GDPR and will be produced at four-year intervals going forward.
In its report, the Commission concludes that generally the GDPR has successfully met its objectives, namely those of strengthening personal data protection and guaranteeing the free flow of personal data within the EU. It also, however, identified a number of areas for improvement, as highlighted below.
Separately, the Commission referred to its ongoing work in relation to the ePrivacy Regulation, which is set to replace the ePrivacy Directive and further harmonize the EU approach to data protection, commenting that it is “very important to ensure its rapid adoption.”
Fragmentation Between Member States
The report highlights the areas in which the Commission has seen fragmentation among Member States in application of the law. There are several provisions in the GDPR that allow for Member States to legislate or provide their own specifications, one of which relates to the age at which children may provide consent for the purposes of information society services. The Commission noted that this is one area where Member States have diverged, creating uncertainty for both children and their parents in the Single Market and difficulties for businesses working across borders. The report adds, “For the effective functioning of the internal market and to avoid unnecessary burden on companies, it is also essential that national legislation does not go beyond the margins set by the GDPR or introduce additional requirements when there is no margin.”
Similar fragmentation can be seen in the approach taken towards derogations to the GDPR’s general prohibition on the processing of special category data. The Commission states that it is in the process of mapping these approaches with a view to supporting the establishment of a code of conduct in order to contribute to a more consistent approach.
The Commission also acknowledges that while guidelines from the European Data Protection Board (“EDPB”) have been welcomed, issues have been raised in relation to inconsistencies between EDPB guidelines and guidance issued nationally.
The Commission states, however, that given the limited practical experience that has been gained so far and the fact that sector-specific legislation is under revision in many Member States, definitive conclusions on fragmentation could not yet be drawn. The Commission also points to the relevant case law of national courts and the Court of Justice as providing some guidance on issues of divergence, stating that this case law “helps to create a consistent interpretation of data protection rules,” and adding that national courts have already issued judgements that invalidate national provisions that depart from the GDPR.
Looking ahead, the Commission recommends that Member States consider limiting their use of specification clauses where such use could create fragmentation and impede the free flow of data within the EU. It also states that it will explore whether targeted amendments to GDPR provisions might be appropriate, for example, to harmonize the age of consent for children.
Enforcement
The report notes that data protection authorities (“DPAs”) have made use of their strengthened enforcement powers under the GDPR, not only with warnings, reprimands and fines, but also through bans on processing, which the Commission regards as potentially a more effective deterrent.
When it comes to cooperation between Member States, however, the Commission notes that the development of a “truly common European data protection culture” is ongoing, and that the management of cross-border cases requires improvement, including from a procedural perspective. Furthermore, the report points to an imbalance in the resources allocated to DPAs across Member States. The Commission acknowledges that Ireland and Luxembourg, as technology hubs, are likely to lead on many significant cross-border cases and additional resources may therefore be warranted in those jurisdictions. It acknowledges that many DPAs saw budgets and employee numbers grow over the past two years, but it comments that the imbalance in resource allocation between Member States is not currently satisfactory. Member States are called on to provide DPAs with adequate resources to fulfill their function, as required by the GDPR.
Emerging Technologies
The report foresees issues arising with respect to the use of emerging technologies such as artificial intelligence (“AI”), though it refers to the GDPR as having been conceived in a technology-neutral and principles-based manner. The report states: “Future challenges lie ahead in clarifying how to apply the proven principles to specific technologies such as artificial intelligence, blockchain, Internet of Things or facial recognition which require […] monitoring on a continuous basis […] In this respect, data protection authorities should be ready to accompany technical design processes early on.”
The Commission also notes that the flexibility of the GDPR has been demonstrated during the COVID-19 crisis, for example, with regard to its application to contact tracing applications. The report invites the EDPB to issue guidelines on the application of the GDPR in several areas, including artificial intelligence, blockchain and possible other technological developments.
Data Subject Rights
The Commission states that further work is needed in facilitating the exercise of data subject rights, particularly the right to data portability. The report refers to this right as having clear but unused potential to “put individuals at the centre of the data economy by enabling them to switch between different service providers, to combine different services, use other innovative services and to choose the most data protection-friendly services.”
The Commission highlights unlocking this potential as a priority to avoid consumers being faced with unfair practices and “lock-in” effects and to yield benefits in a variety of sectors. It points to the design of appropriate tools, standardized formats and interfaces as a starting point, commenting that increased use of the data portability right could allow individuals to use their data for the public good, such as for health research purposes.
Adequacy Decisions
With regard to data transfers outside of the EU, the report highlights that the Republic of Korea is at an “advanced stage” in the adequacy process, and that exploratory talks are underway with partners in Asia and Latin America. Regarding the United Kingdom, the Commission states, “Adequacy also plays an important role in the context of the future relationship with the United Kingdom, provided that the applicable conditions are met […] In line with the Political Declaration on the Future Relationship between the EU and the UK, the Commission is currently carrying out an adequacy assessment under both the GDPR and the Data Protection Law Enforcement Directive.”
Extra-Territorial Reach
The Commission comments that DPAs should ensure their enforcement actions extend to foreign operators active in the EU market, in order to secure a truly level playing field in the EU. In particular, the Commission highlights that such actions should involve the controller’s or processor’s representative in the EU. The report states, “This approach should be pursued more vigorously in order to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR.”
The full report is available for review.