What are the main conclusions of the report?
-Two years after its entry into application, the GDPR has been an overall success, meeting many of the expectations, even if a number of areas for future improvement have also been identified.
-Like most stakeholders and data protection authorities, the Commission is also of the view that it would be premature to draw definite conclusions as to the application of the GDPR and to make proposals for its revision.
-It is likely that most of the issues identified by Member States and stakeholders will benefit from more experience in the application of the Regulation in the coming years.
-Increasing global convergence around principles that are shared by the GDPR offers new opportunities to facilitate safe data flows, to the benefit of citizens and businesses alike.
What improvements has the GDPR brought?
-Citizens are more empowered and aware of their rights. The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Individuals also have the right to lodge a complaint with a data protection authority and to seek an effective judicial remedy. Today 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% have heard about their national data protection authority, according to results published in a survey from the EU Fundamental Rights Agency. The GDPR has empowered individuals to play a more active role in what is happening with their data in the digital transition. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.
-Businesses, including SMEs, now have just one set of rules to which to adhere. The GDPR also creates a level playing field with companies not established in the EU but operating here. By establishing a harmonised framework for the protection of personal data, the GDPR ensures that all businesses in the internal market are bound by the same rules and benefit from the same opportunities, regardless of where they are established and where the processing takes place. In addition, privacy has become a competitive quality that customers are increasingly taking into consideration when choosing their services. For SMEs, the implementation of the right to data portability has the potential to lower the barriers to entry for data protection friendly services. Compliance with the data protection rules and their transparent application will create trust between business and consumers when it comes to the use of their personal data.
How is the GDPR being applied to new technologies?
The GDPR is an essential and flexible tool to ensure the development of new technologies in accordance with fundamental rights. The implementation of the core principles of the GDPR is particularly crucial for data intensive processing. The Regulation's risk-based and technology-neutral approach provides a level of data protection proportionate to the risk of the processing, including processing by emerging technologies.
The GDPR's technologically-neutral and future-proof approach was put to the test during the COVID-19 pandemic and has proven to be successful. Its principle-based rules supported the development of tools to combat and monitor the spread of the virus.
The future-proof and risk-based approach of the GDPR will also be applied in the future EU framework for Artificial Intelligence and in the implementation of the European Data Strategy. The Data Strategy aims at fostering data availability and at the creation of Common European Data Spaces.
How is the cooperation and consistency mechanism working in practice?
Data protection authorities have been very actively working together as members of the EDPB. They already use the cooperation tool of mutual assistance intensively. With regard to the consistency mechanism, the EDPB adopted several opinions over the past two years. However, neither a dispute resolution nor an urgency procedure has yet been triggered.
More generally, and as the report shows, the handling of cross-border cases needs a more efficient and cohesive approach when using the cooperation tools provided in the GDPR. There is very broad consensus on this among the European Parliament, the Council, stakeholders and the data protection authorities.
The main issues to be tackled in this context include:
-differences in national administrative procedures;
-varying interpretations of concepts relating to the cooperation mechanism;
-and varying approaches regarding the start of the cooperation procedure, the timing and communication of information.
The EDPB has indicated that it will clarify procedural steps to enhance cooperation between the lead data protection authority and the concerned data protection authorities.
How does the GDPR contribute to global data protection standards?
The GDPR has emerged as a reference point and acted as a catalyst for many countries and states around the world considering how to modernise their privacy rules, including Chile, South Korea, Brazil, Japan, Kenya, India, Tunisia, Indonesia, Taiwan and the state of California, to name but a few. International instruments, such as the modernised “Convention 108” of the Council of Europe, or the “Data Free Flow with Trust” initiative launched by Japan, are also based on principles that are shared by the GDPR.
This trend towards global convergence brings new opportunities for increasing the protection of Europeans while, at the same time, facilitating data flows and lowering transaction costs for business operators.
How has the GDPR facilitated international data flows?
The GDPR offers a modernised toolbox to facilitate the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection. This continuity of protection is important, given that in today's world data moves easily across borders and the protections guaranteed by the GDPR would be incomplete if they were limited to processing inside the EU. The toolbox includes actively engaging with key partners with a view to reaching an adequacy finding and yielded important results such as the creation between the EU and Japan of the world's largest area of free and safe data flows. Ongoing work also concerns other transfer mechanisms, such as standard contractual clauses and certification, to harness the full potential of the GDPR rules on international transfers.
How is the GDPR being enforced? What enforcement measures have been taken so far?
The GDPR gives national data protection authorities harmonised and strengthened enforcement powers.
Since the entry into application of the Regulation, data protection authorities have been making use of a wide range of corrective powers provided by the GDPR, such as administrative fines, warnings and reprimands, orders to comply with data subjects' requests, orders to bring processing operations into compliance with the Regulation, and orders to rectify, erase or restrict processing.
The GDPR also provides for a broader palette of corrective powers. For example, the effect of a ban on processing or the suspension of data flows can be much stronger than a financial penalty.
What are the main improvements that can be made for the future?
We have presented in the report a list of actions. The key objective at this stage is to support a harmonised and consistent implementation and enforcement of the GDPR across the EU.
This requires a strong engagement from all actors:
-making sure that national legislation, including sectoral legislation, is fully in line with the GDPR;
-Member States providing data protection authorities with the necessary human, financial and technical resources to properly enforce the data protection rules, but also to reach out to stakeholders, both citizens and - very importantly - SMEs;
-data protection authorities developing efficient working arrangements regarding the functioning of the cooperation and consistency mechanisms, including on procedural aspects;
-making full use of the toolbox under the GDPR to facilitate the application of the rules, for instance through codes of conduct;
-closely monitoring the application of the GDPR to new technologies such as AI, Internet of Things, blockchain.
As regards the international dimension, the Commission will continue to focus its efforts on promoting convergence of data protection rules as a way to ensure safe international data flows. This includes engaging in the context of ongoing reforms for new or updated data protection laws, and pushing for the “Data Free Flow with Trust” (DFFT) concept in multilateral fora. This work will also cover various adequacy dialogues and the modernisation and expansion of our transfer toolbox through updating the SCCs and laying the groundwork for certification mechanisms.
Who contributed to the report?
The report published today is the result of the Commission's consistent engagement since the period preceding the entry into application of the GDPR, with Member States, the European Data Protection Board (EDPB) and a wide range of stakeholders, on the practical application of the GDPR.
The report builds on the stocktaking exercise carried out by the Commission on the first year of application as summarised by the Commission in a Communication published in July 2019.
The report also builds on the Communication on the application of the GDPR published in January 2018, the Guidance issued by the Commission on the use of personal data in the electoral context published in September 2018, as well as the Guidance on apps supporting the fight against the coronavirus pandemic published by the Commission in April 2020.
The report also takes into account contributions from:
-the European Parliament (Committee on Civil Liberties, Justice and Home Affairs);
-the European Data Protection Board and individual data protection authorities;
-the members of the multi-stakeholder expert group set up to support the application of the GDPR;
-and relevant stakeholders.
What are the next steps following this evaluation report?
The Commission will continue to use all the tools at its disposal to foster compliance by Member States with their obligations under the Regulation and to support the objectives pursued by the Regulation. The Commission will pursue its bilateral exchanges with Member States to get a full overview of the implementation of the Regulation.
In an international context, the Commission is stepping up its dialogue with regional organisations and networks that are increasingly playing a central role in shaping common data protection standards, as well as promoting the exchange of best practices and fostering cooperation between enforcers.
The Commission will monitor the implementation of improvements following this report, in view of the next evaluation report scheduled for 2024.
The Commission also published another Communication on data protection in the context of the prevention, investigation, detection and prosecution of criminal offences. Why is this important?
It is important to prevent fragmentation at EU level, and therefore important to ensure the full consistency of EU legislation with the GDPR and the other instruments of the EU data protection framework. This includes Directive (EU) 2016/680 - the Law Enforcement Directive - which covers data protection in the fields of police and criminal justice.
The Communication concerns ten legal acts on police and judicial cooperation in criminal matters and regulating the processing of data by competent authorities for the prevention, investigation, detection and prosecution of criminal offences, and sets out how the Commission intends to bring these acts - adopted before the entry into force of the Law Enforcement Directive - in line with the current data protection legislation. The Communication also includes a timetable setting out how the Commission will do this. These alignments to EU law are necessary to ensure a consistent approach and a high level of protection of personal data, as well as legal certainty and clarification of issues.